5.4 Schema Flags Added in eDirectory 8.7

The READ_FILTERED and BOTH_MANAGED schema flags were added to eDirectory 8.7.

READ_FILTERED indicates that an attribute is an LDAP OPERATIONAL attribute. When LDAP reads the schema, it uses this flag to identify an attribute as “operational.” Some internally defined schema attributes now have this flag set. The LDAP “operational” definition covers three schema flags: in addition to the new READ_FILTERED flag, the existing READ_ONLY and HIDDEN flags also mark an attribute as “operational.” If any of these flags is present on a schema definition, LDAP treats the attribute as “operational” and does not return it unless it is specifically requested.
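The following is an added example, not code from the eDirectory documentation or product: a small Python model of the rule above, in which an attribute is operational if any of READ_FILTERED, READ_ONLY or HIDDEN is set on its definition, and an operational attribute is only returned when it is named explicitly in the request (“*” is the standard LDAP request for all user attributes; “+” for all operational attributes is from RFC 3673 and is included for completeness). The schema, attribute names and entry are constructed sample data; only READ_ONLY, HIDDEN and READ_FILTERED come from the page. The last call shows what the NOTE at the end of this section describes: in a tree whose schema was never extended with READ_FILTERED, a plain “all attributes” read returns extra data.

```python
# Added example: a toy model of how eDirectory schema flags decide which
# attributes an LDAP read returns. Not eDirectory's own code.

READ_FILTERED = "READ_FILTERED"   # new in eDirectory 8.7
READ_ONLY = "READ_ONLY"
HIDDEN = "HIDDEN"
OPERATIONAL_FLAGS = {READ_FILTERED, READ_ONLY, HIDDEN}

# Constructed schema: attribute name -> set of schema flags on its definition.
# "modifyTimestamp" is a standard LDAP operational attribute; the "sample*"
# names are invented for this example.
SAMPLE_SCHEMA = {
    "cn": set(),
    "mail": set(),
    "modifyTimestamp": {READ_ONLY},        # operational via READ_ONLY
    "sampleHiddenAttr": {HIDDEN},          # operational via HIDDEN
    "sampleFilteredDN": {READ_FILTERED},   # operational only via the new flag
}

# Constructed directory entry used for the sample reads.
SAMPLE_ENTRY = {
    "cn": "jdoe",
    "mail": "jdoe@example.test",
    "modifyTimestamp": "20240101000000Z",
    "sampleHiddenAttr": "0",
    "sampleFilteredDN": "cn=sample-log,o=example",
}


def is_operational(schema, attr):
    """An attribute is operational if any of the three flags is on its definition."""
    return bool(schema.get(attr, set()) & OPERATIONAL_FLAGS)


def returned_attributes(schema, entry, requested):
    """Return the attributes an LDAP read of `entry` gives back for `requested`.

    "*" (or an empty request list) means all user attributes.  An operational
    attribute is returned only when named explicitly, or when "+" (all
    operational attributes, RFC 3673) is requested.
    """
    requested = list(requested) or ["*"]
    want_user = "*" in requested
    want_all_operational = "+" in requested
    explicit = {a for a in requested if a not in ("*", "+")}
    result = {}
    for attr, value in entry.items():
        operational = is_operational(schema, attr)
        if (attr in explicit
                or (operational and want_all_operational)
                or (not operational and want_user)):
            result[attr] = value
    return result


def schema_without_flag(schema, flag):
    """Simulate a tree whose schema was never extended with `flag`."""
    return {attr: flags - {flag} for attr, flags in schema.items()}


if __name__ == "__main__":
    # Plain read: only user attributes come back.
    print(returned_attributes(SAMPLE_SCHEMA, SAMPLE_ENTRY, ["*"]))
    # Explicitly requested: the READ_FILTERED attribute is returned.
    print(returned_attributes(SAMPLE_SCHEMA, SAMPLE_ENTRY, ["*", "sampleFilteredDN"]))
    # Schema never extended with READ_FILTERED: the attribute leaks into a plain read.
    print(returned_attributes(schema_without_flag(SAMPLE_SCHEMA, READ_FILTERED),
                              SAMPLE_ENTRY, ["*"]))
```

Note that `sampleHiddenAttr` and `modifyTimestamp` stay operational even in the un-extended schema, because their HIDDEN and READ_ONLY flags are independent of READ_FILTERED; only the attribute that relied solely on the new flag changes behaviour.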

BOTH_MANAGED is a new security rights enforcement mechanism. It is meaningful only on an attribute of Distinguished Name syntax. If set on such an attribute, it requires that the requesting connection have rights both on the target object and attribute and on the object referenced by the target attribute’s value. This expands the existing WRITE_MANAGED flag functionality. The flag is not currently set on any base schema attribute. Because this security behavior is enforced only by an eDirectory 8.7.x or later server, consistent enforcement of the flag requires that every server in the tree be upgraded to eDirectory 8.7 or later.
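As an added example (not eDirectory’s own access-control code), the following Python model shows the two consequences of the paragraph above: a BOTH_MANAGED attribute requires rights on the referenced object as well as on the target, and a server older than 8.7 simply ignores the flag, so the same write can be refused on one server and accepted on another until the whole tree is upgraded. Rights are modelled as a plain set of grants, the schema and DNs are constructed sample data, and the attribute named `sampleBothManagedDN` is invented for the example; WRITE_MANAGED is not modelled because its exact semantics are not described on this page.

```python
# Added example: a toy model of the rights check that the BOTH_MANAGED schema
# flag imposes on a DN-syntax attribute. Not eDirectory's own implementation.

BOTH_MANAGED = "BOTH_MANAGED"   # new in eDirectory 8.7; DN syntax only
SYNTAX_DN = "DN"

# Constructed schema: attribute -> (syntax, set of schema flags).
SAMPLE_SCHEMA = {
    "description": ("string", set()),
    "sampleBothManagedDN": (SYNTAX_DN, {BOTH_MANAGED}),   # invented attribute
}

# Constructed grants: (requester DN, object DN, attribute or "*" for the whole
# object).  The helpdesk account has rights on cn=jdoe but none on cn=ceo.
SAMPLE_GRANTS = {
    ("cn=helpdesk,o=example", "cn=jdoe,o=example", "*"),
}


def has_rights(grants, requester, obj, attr=None):
    """True if `requester` holds rights on `obj` as a whole (attr=None)
    or on the specific attribute `attr` of `obj`."""
    if (requester, obj, "*") in grants:
        return True
    return attr is not None and (requester, obj, attr) in grants


def may_write(schema, grants, requester, target, attr, value,
              server_version=(8, 7)):
    """Decide whether `requester` may write `value` into `target`'s `attr`.

    `server_version` models the server answering the request: only an 8.7 or
    later server enforces BOTH_MANAGED (assumption of this model, based on the
    documentation's statement that older servers do not recognise the flag).
    """
    if attr not in schema:
        raise KeyError(f"unknown attribute {attr!r}")
    syntax, flags = schema[attr]
    # Rights on the target object's attribute are always required.
    if not has_rights(grants, requester, target, attr):
        return False
    if BOTH_MANAGED in flags and server_version >= (8, 7):
        if syntax != SYNTAX_DN:
            raise ValueError(f"{attr}: BOTH_MANAGED is only meaningful on DN syntax")
        # The additional check: rights on the object the new value points at.
        return has_rights(grants, requester, value)
    return True


def tree_is_consistent(server_versions):
    """True if every server would enforce BOTH_MANAGED the same way."""
    return all(v >= (8, 7) for v in server_versions)


if __name__ == "__main__":
    helpdesk, jdoe, ceo = ("cn=helpdesk,o=example", "cn=jdoe,o=example",
                           "cn=ceo,o=example")
    # Unflagged attribute: rights on the target are enough.
    print(may_write(SAMPLE_SCHEMA, SAMPLE_GRANTS, helpdesk, jdoe, "description", "x"))
    # BOTH_MANAGED on an 8.7 server: refused, no rights on cn=ceo.
    print(may_write(SAMPLE_SCHEMA, SAMPLE_GRANTS, helpdesk, jdoe, "sampleBothManagedDN", ceo))
    # Same request answered by an 8.6 server: the flag is ignored.
    print(may_write(SAMPLE_SCHEMA, SAMPLE_GRANTS, helpdesk, jdoe, "sampleBothManagedDN", ceo,
                    server_version=(8, 6)))
```

The mixed-version case is the one an administrator should watch for: `tree_is_consistent` returns False for a tree that still has an 8.6 server, and in that tree the outcome of the write depends on which replica the client happens to talk to.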

Because only an eDirectory 8.7.x (or later) server recognizes these new flags, they can be set on a schema definition only by an eDirectory 8.7.x (or later) server that holds a copy of the root partition (only servers holding root can modify the schema). Installing a new server, or upgrading an existing server that does not hold the root partition, will not add these new flags to the schema in your tree.

If you want either of these new features enabled in your tree, you need to ensure that the schema is successfully extended to add these new flags. There are two ways to do this. The first option is to upgrade a server that holds a writable copy of the root partition to eDirectory 8.7 or later. This automatically extends the schema with the new flags.

The second option is more involved and contains the following steps:

  1. Install a new 8.7.x (or later version) server or upgrade any existing server in the tree. This server does not need to hold a copy of [Root].

  2. Manually add a copy of the root partition to this new server.

  3. Rerun the appropriate schema extension files on that server to extend the schema:

     Platform   Instructions
     Windows    Load install.dlm, then click Install Additional Schema Files.
     Linux      Use the ndssch utility. See Using the ndssch Utility to Extend the Schema on Linux for more information.

  4. Install the new schema files of your choice that have these new flags set.

  5. (Optional) After the schema has synchronized, you can remove the root replica from this server.

NOTE: These new schema flags enable optional features. If you don’t need or want the new functionality, the absence of these flags from the schema definitions will not cause any problems in the normal operation of eDirectory in your tree. Without the READ_FILTERED flag, some attribute definitions are not marked as operational, so an LDAP read request for all attributes of an object might return some extra data it would not otherwise have received. Some attributes will still be treated as operational anyway because of the presence of the READ_ONLY or HIDDEN flag. The BOTH_MANAGED flag is intended to be enabled only on fully upgraded trees, because consistent operation of this feature can be achieved only in that environment.